In an 11-story office building in the Washington suburbs, hundreds of U.S. cybersecurity analysts work around the clock to foil hackers. Possible breaches of government networks show up as red flashes on screens that line the walls.
Something big is coming, some of the analysts say.
They’re speaking not of any imminent hack, but of what they see as a chance to expand their influence. So far, their five-year-old National Cybersecurity and Communications Integration Center has largely occupied itself monitoring threats to government networks. Now, with backing on Capitol Hill, it is poised to bolster its role as an anti-hacking coordinator between U.S. banks, utilities and other companies operating the networks that millions of Americans use daily.
“If we don’t know what’s going on, we can’t respond to it,” Larry Zelvin, director of the center, said in an interview. “Sometimes we don’t know about an attack until it comes up in the news or social media.”
U.S. lawmakers are fast-tracking a measure that would legally protect companies that tell the center and each other about malicious activities on their networks. The legislation is designed to address industry executives’ concerns that disclosing these vulnerabilities could expose them to lawsuits or regulators’ scrutiny, or that certain communications with competitors could invite antitrust actions.
The House has passed the measure and a Senate committee plans to take it up in July. The bill’s chief sponsors say they believe they have the momentum to get it onto President Barack Obama’s desk this year.
While companies won’t be obligated to participate, there’s clearly a need. Cybercrime costs banks, retailers, energy companies and others as much as $575 billion a year and rising, according to a report published June 9 by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.
In two classified exercises in recent years, teams of computer experts quickly brought the U.S. economy to its knees using malware widely available on the Internet, said a participant who requested anonymity because the tests remain classified. Simply shutting down electronic banking, including automated-teller machines and the Federal Reserve’s ability to move money, resulted in simulated runs on local banks, the participant said.
There is resistance to putting a federal cybercenter at the heart of anti-hacking efforts. Some industry officials who work with the government are skeptical that the center, which is run by the Department of Homeland Security, has the staff or resources to do the job.
“There are a lot of people in industry that frankly are not comfortable sharing with DHS,” Robert Dix, vice president of government affairs for Juniper Networks Inc., said in a phone interview. “There’s also concern about whether or not the information will be protected.”
Many privacy advocates worry that expanded information sharing would enable the government to vacuum up personal information of Americans without warrants. The cybercenter works with National Security Agency liaisons, who are in the building. The NSA is facing a domestic and international backlash over the extent of its spy programs, exposed by former government contractor Edward Snowden, which include interception of e-mails and Americans’ phone records.
The DHS was created after the attacks of Sept. 11, 2001, with a mission, it says, to ensure security against terrorism and other hazards and to safeguard cyberspace. Zelvin said the center doesn’t have authorization, ability or desire to peer into companies’ networks.
Zelvin said the center works “with the NSA and the rest of the intelligence community in a responsible way.” The center doesn’t seek data that identifies people, he said.
“We’re all about finding the hole, plugging the hole and making sure the hole doesn’t come back,” said Zelvin, a stout former Navy pilot with rapid-fire speech. “I don’t need your name to do that. I don’t need to know where you live.”
Rather, Zelvin said, he is hoping that companies will allow the center to expand its coordinator role — and that the new legislation will hasten work he says his center is positioned to handle.
On average, attackers were inside a victim’s network for 229 days before being detected, according to FireEye Inc., a network security company.
Currently, it can take three days at times for the center to negotiate a legal agreement to offer assistance to a company under attack, Zelvin said. “My number one concern is speed,” he said.
The center, with an annual budget of about $163 million, isn’t the only government agency with cyberchops. The Federal Bureau of Investigation, for example, builds criminal cases against hackers. Intelligence agencies have acknowledged hacking into foreign networks.
The DHS created the cybersecurity center in part to coordinate efforts to protect federal civilian networks such as the Social Security Administration or the Department of Health and Human Services. About 500 analysts and contractors work at the center in Arlington, Virginia, six miles from the White House. Among other things, they monitor threat levels — green, yellow, red — to government networks using its Einstein intrusion-detection system.
Analysts huddle around wall-free workstations to view classified NSA intelligence about the operations of foreign hackers. Space-weather reports alert them to solar flares that can knock out satellites, interrupting global communications.
The center had a data feed from social-media websites such as Twitter Inc., to assess chatter potentially related to cyber-attacks. It stopped using it, Zelvin said, while it evaluates the privacy implications.
What Zelvin and others want the center to expand is its work with companies in what DHS defines as the nation’s 16 critical infrastructure sectors, including finance, energy and communications. Once the center receives information from companies about possible attacks on private networks, analysts can help mitigate them.
The center has received reports of more than 340,000 potential hacking incidents affecting private and government computers since October 2012. Based on these, it has issued some 12,000 security alerts which, depending on the threat, are e-mailed to companies and government or posted on websites.
While those numbers “sound impressive,” the alerts don’t offer companies detailed analysis about specific hacking tactics, said Dix of Juniper Networks. “They want information provided, but nothing of any value comes back,” he said.
Although Dix gives Zelvin credit for trying to improve the center, he said it’s failing to meet goals laid out in 2012 by a White House advisory group to integrate government and industry anti-hacking efforts.
Instead, the center has signed individual agreements with different companies. It hosts representatives each day from four of the 16 sectors.
Among them is a representative from the Financial Services Information Sharing and Analysis Center, a banking group. The representative, who has classified security clearance, sends threat warnings to the banking group and also informs the center about possible threats experienced by member banks — giving details like malicious network addresses but not the banks’ names — said Bill Nelson, the group’s president.
The center helped banks deal with so-called distributed denial-of-service attacks that temporarily knocked their websites offline in 2012 and 2013, Nelson said. “By having our guy there, we’ve been able to actually thwart attacks,” he said by telephone.
The nonprofit is spending $4.5 million to develop an automated system for banks to share information about malicious network activity and update their defenses in real time, Nelson said. The DHS’s center could be part of it, he said.
The Senate’s intelligence committee could vote on the information-sharing bill as early as July 10.
The American Civil Liberties Union and nearly two dozen other privacy advocates told committee leaders in a June 26 letter they “strongly oppose” the bill because it could allow private communications to flow to the NSA and law-enforcement agencies. It also doesn’t have adequate controls to protect personal data or limit how information is used, and gives companies overly broad liability protection, the groups wrote.
“Cybersecurity information-sharing legislation should be written such that only cybersecurity threat information is shared with the government and it’s done in a privacy protecting way,” Robyn Greene, policy counsel for the Open Technology Institute, said in a phone interview.
Zelvin underscores that the center’s focus isn’t personal data but seeking to prevent a digital attack that he believes could rival or surpass Sept. 11.
“What I most worry about is we may rush to legislation after” a large cyber-attack, he said. “It would be much better to be more thoughtful now.”
–With assistance from John Walcott in Washington.